NRC: OIG/97A-06 - Survey of NRC Actions to Secure its Sensitive Information Systems

Contents
Overview
Report Synopsis
Introduction
Results of Survey
Conclusions
Objectives, Scope, and Methodology
Major Contributors to this Report
Glossary: Office of the Inspector General Products

Overview

Office of the Inspector General
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001
March 21, 1997

Memorandum To: Anthony J. Galante, Chief Information Officer
From: Thomas J. Barchi, Assistant Inspector General for Audits
Subject: Survey of NRC Actions to Secure its Sensitive Information Systems

Attached is the Office of the Inspector General's (OIG) audit report entitled "Survey of NRC Actions to Secure its Sensitive Information Systems". In December 1992, OIG issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program" which contained recommendations for strengthening the program. This work focused on (1) following up on the implementation of those recommendations and (2) gathering current information on NRC's protection of its sensitive information systems.

Our work found that NRC has implemented our prior recommendations and taken initiatives to strengthen the computer security program.
Given the NRC initiatives and other Government activities underway in the computer security area, we have decided not to perform further work at this time. Because we are making no recommendations to the agency regarding our findings, we are issuing this report without obtaining formal agency comments.

Report Synopsis

Los Alamos National Laboratory performed an independent review of the Nuclear Regulatory Commission's (NRC) computer security program in 1991 which identified significant weaknesses regarding the protection of NRC sensitive information systems. In December 1992, the Office of the Inspector General (OIG) noted that many of these weaknesses had not been corrected. OIG issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program"(1) which recommended that NRC (1) develop a detailed action plan to address the Los Alamos findings, and (2) identify the weaknesses as material in the annual report required by the Federal Managers' Financial Integrity Act. NRC developed and implemented a plan to address the weaknesses, and reported all weaknesses as corrected in November 1994.

The objectives of this survey were to follow up on the 1992 recommendations and to gather current information on NRC's protection of its sensitive information systems. Our survey found that actions taken by NRC are complete and appear to have strengthened the security of NRC's sensitive information systems. We also found that there are a number of Government-wide and NRC initiatives underway in the computer security area. Given the status of these initiatives, we have decided not to conduct further work at this time. However, we will follow up at a later date when these efforts are complete.

Introduction

In December 1992, the Office of the Inspector General (OIG) issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program"(2). This report was based on information from an independent review of the Nuclear Regulatory Commission's (NRC) computer security program by the Los Alamos National Laboratory. Los Alamos reported significant findings regarding the protection of NRC sensitive information systems(3). To strengthen the NRC computer security program, OIG recommended that the Director, Office of Information Resources Management (IRM), (1) develop a detailed action plan to address the Los Alamos findings, and (2) identify the weaknesses in the computer security program as a material weakness as required by Office of Management and Budget (OMB) Circular No. A-123 and Section 2 of the Federal Managers' Financial Integrity Act (FMFIA), P.L. 97-255.

NRC undertook a series of corrective actions to improve its computer security program, and reported that all actions were complete as of November 1994. The objectives of this survey were to (1) follow up on the implementation of the 1992 recommendations and (2) gather current information on NRC's protection of its sensitive information systems. Additional information regarding the objectives, scope, and methodology can be found in Appendix I of this report.

Background

In fulfilling the agency's mission, NRC management and its technical and administrative staffs depend heavily on data obtained from automated information systems maintained within the agency. Consequently, protecting these information systems and their data from theft, abuse, and tampering is vitally important to the NRC. This is particularly true for sensitive information systems. The Financial Management, Computer Security, and Administrative Support Staff, IRM, is responsible for managing NRC's computer security program.

In November 1991, Los Alamos National Laboratory completed an independent compliance review of NRC's computer security program. Los Alamos reported numerous findings which raised significant concerns regarding the adequacy of NRC's computer security program. While NRC had implemented half of the recommendations, the agency did not have an implementation plan for the remaining weaknesses, which raised serious concerns about the protection of NRC's sensitive information systems:

- Systems tests, certification(4) and accreditation(5) were not being performed;
- Configuration management(6) guidelines were not established;
- NRC had not identified potential threats;
- The NRC computer security policy was outdated; and
- The staffing and organizational placement of the computer security function were questionable.

NRC reported these conditions as a material weakness in its 1992 FMFIA report and, in January 1993, developed a plan to address the weaknesses. The plan was fully implemented and the material weakness was closed in November 1994. The following table details how the weaknesses were addressed:

Weakness: Systems tests, certification and accreditation were not performed.
Solution: Under contract, Los Alamos developed a methodology for systems tests of differing computing environments. These minimum controls were included in the revised computer security policy, Management Directive 12.5 Handbook.
Date Completed: Included in draft Management Directive in July 1993. Sensitive systems were certified and accredited as of November 1994. Management Directive was finalized in May 1995.

Weakness: Configuration management guidelines did not exist.
Solution: Under contract, Los Alamos established criteria for configuration management changes for systems processing sensitive data. These criteria were included in the revised computer security policy, Management Directive 12.5 Handbook.
Date Completed: Included in draft Management Directive in July 1993. Management Directive was finalized in May 1995.

Weakness: Threats were not identified.
Solution: Under contract, the National Institute for Standards and Technology developed a threat profile and training materials.
Date Completed: Threat analysis study delivered in July 1993. Training materials delivered in August 1993.

Weakness: Computer security policy was outdated.
Solution: Under contract, Los Alamos developed NRC Management Directive 12.5 Handbook.
Date Completed: Management Directive draft delivered in July 1993. Management Directive finalized in May 1995.

Weakness: Staffing and organizational placement of the computer security function was questionable.
Solution: IRM reorganized; the computer security function reports directly to the Director, IRM.
Date Completed: February 1994.

Results of Survey

Our survey found that NRC has satisfactorily completed its actions to remediate the weaknesses identified by Los Alamos. The systems we sampled had documentation regarding systems testing, threats, configuration management, certification, and accreditation. NRC has developed a threat analysis and has included threat information in Management Directive 12.5 as well as in the annual computer security awareness training. This training is mandatory for all agency employees. The revised Management Directive and reorganization of IRM have addressed the security concerns raised by the Los Alamos study. We reviewed a sample of NRC's sensitive information systems and found that the Management Directive guidance was followed.

Currently, there are a number of Government-wide and NRC initiatives underway in the computer security area. In recognition of the potential threats to national defense and the country's economic security, the President has established a Commission to address both physical and cyber threats to the country's critical infrastructure(7). In addition, OMB is developing guidelines to give updated direction regarding the protection of Government information. Further, NRC has on-going and planned initiatives addressing various computer security concerns. NRC has recently tested the security of its local and wide area network and is addressing the findings of those tests through its network upgrade. Also, NRC is studying the possibility of developing networks that can safely process classified information.

Conclusions

We believe the actions taken by NRC have adequately addressed our prior recommendations and go a long way to strengthen the security of NRC's sensitive information systems. On-going initiatives in this area may significantly affect NRC's computer security program in the future. As guidance and recommendations may be forthcoming from the Presidential Commission, as well as from OMB or as a result of an NRC initiative, we have decided not to conduct further work at this time. We will, however, follow up on this area at a later date, when NRC initiatives and Executive-level guidance are complete.

Objectives, Scope, and Methodology

The objectives of this survey were (1) to follow up on prior audit recommendations(8) regarding the NRC computer security program and (2) to gather current information on NRC's protection of its sensitive information systems. We interviewed officials in the Offices of Information Resources Management, Nuclear Reactor Regulation, Nuclear Materials Safety and Safeguards, Comptroller, Personnel, and Administration. We reviewed the current Office of Management and Budget guidance, the Computer Security Act of 1987, Executive Order 13010, and the Information Technology Management Reform Act of 1996.

We examined the management controls for NRC's information systems security program. To evaluate these controls, we reviewed NRC Management Directive and Handbook 12.5, "NRC Automated Information Systems Security Program", and tested its implementation on a sample of sensitive information systems.

This survey was performed in accordance with generally accepted Government auditing standards during the period December 1996 through January 1997 at NRC Headquarters.

Major Contributors to this Report

Corenthis B. Kelley, Team Leader
Judith L. Leonhardt, Senior Auditor

Glossary: Office of the Inspector General Products

Investigative

1. Investigative Report - White Cover
An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.

2. Event Inquiry - Green Cover
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports, but tracking its recommendations is not required.

3. Management Implications Report (MIR) - Memorandum
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future.
Agency tracking of recommendations is not required.

Audit

4. Audit Report - Blue Cover
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.

5. Special Evaluation Report - Burgundy Cover
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.

Regulatory

6. Regulatory Commentary - Brown Cover
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review; state the specific law, regulation or policy examined and the pertinent background information considered; and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.

Notes

1. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.

2. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.

3. Sensitive information includes information that, if improperly used or disclosed, could adversely affect the ability of an agency to accomplish its mission. It requires protection due to the risk and magnitude of loss or harm that could result from its inadvertent or deliberate disclosure, alteration, or destruction.

4. Certification is the technical evaluation (made as part of and in support of the accreditation process) that establishes the extent to which a particular computer system or network design and implementation meets a pre-specified set of security requirements.

5. Accreditation is the authorization and approval granted to an automatic data processing system or network to process sensitive data in an operational environment. The decision is made on the basis of a certification by designated technical personnel of the extent to which design and implementation of the system meet pre-specified technical requirements for achieving adequate data security.

6. Configuration management is the use of appropriate procedures for controlling changes to a system's hardware and software structure for the purpose of ensuring that such changes will not lead to a decrease in data security.

7. The Commission on Critical Infrastructure Protection established by Executive Order 13010. Infrastructure includes telecommunications, electrical power systems, transportation systems, emergency services, and continuity of Government.

8. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.

Page Last Reviewed/Updated Thursday, March 29, 2012